{"id":967,"date":"2013-12-24T21:30:25","date_gmt":"2013-12-24T20:30:25","guid":{"rendered":"http:\/\/diablo.craem.net\/wordpress\/?p=967"},"modified":"2013-12-24T21:30:25","modified_gmt":"2013-12-24T20:30:25","slug":"protegiendo-nuestro-gateway-sip","status":"publish","type":"post","link":"https:\/\/diablo.craem.net\/?p=967","title":{"rendered":"Protecting our SIP gateway"},"content":{"rendered":"<p>For some time now, on the SIP gateways, proxies and PBXs I have exposed on the Internet, I have seen a significant increase in attacks and scans&#8230; It does not keep me awake at night, but I am always left with that nagging worry: what if one day they actually get in?<br \/>\nCapturing packets with ngrep, I see the following trace&#8230;<br \/>\n<code><br \/>\n#<br \/>\nU +113.591586 46.251.228.241:5065 -&gt; 192.168.10.17:5060<br \/>\nOPTIONS sip:100@192.168.2.17:5060 SIP\/2.0<br \/>\nVia: SIP\/2.0\/UDP 46.251.228.241:5065;branch=z9hG4bK-3879111841;rport<br \/>\nContent-Length: 0<br \/>\n<strong>From: \"sipvicious\"<\/strong>&lt;sip:100@1.1.1.1&gt;;tag=3664343530613930313363340131333838313931323031<br \/>\nAccept: application\/sdp<br \/>\n<strong>User-Agent: friendly-scanner<\/strong><br \/>\n<strong>To: \"sipvicious\"<\/strong>&lt;sip:100@1.1.1.1&gt;<br \/>\nContact: sip:100@46.251.228.241:5065<br \/>\nCSeq: 1 OPTIONS<br \/>\nCall-ID: 1162121562622760871341331<br \/>\nMax-Forwards: 70<br \/>\n<\/code><br \/>\n46.251.228.241 = one of the friends trying to attack me<br \/>\n192.168.10.17 = the internal IP of an Asterisk box<br \/>\nFrom: \u00absipvicious\u00bb = the identifier of the software carrying out the attack<br \/>\nUser-Agent: friendly-scanner = the string that identifies the software; in the case of phones, for example a snom 320, it is: <strong>User-Agent: snom320\/8.7.3.7 <\/strong><br \/>\nDigging into iptables and googling around I find <a href=\"https:\/\/ithelpblog.com\/voice\/prevent-or-deny-sip-dos-attack-sip-scanner-by-iptables-firewall\/\">this<\/a>, so I roll up my sleeves and write this script:<br \/>\n<code><br \/>\niptables -N SIPDDOS<br \/>\niptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string \"sundayddr\" --algo bm --to 65535 -m comment --comment \"deny sundayddr\" -j SIPDDOS<br \/>\niptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string \"sipsak\" --algo bm --to 65535 -m comment --comment \"deny sipsak\" -j SIPDDOS<br \/>\niptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string \"sipvicious\" --algo bm --to 65535 -m comment --comment \"deny sipvicious\" -j SIPDDOS<br \/>\niptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string \"friendly-scanner\" --algo bm --to 65535 -m comment --comment \"deny friendly-scanner\" -j SIPDDOS<br \/>\niptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string \"iWar\" --algo bm --to 65535 -m comment --comment \"deny iWar\" -j SIPDDOS<br \/>\niptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string \"sip-scan\" --algo bm --to 65535 -m comment --comment \"deny sip-scan\" -j SIPDDOS<br \/>\niptables -A SIPDDOS -j LOG --log-prefix \"firewall-sipddos: \" --log-level 6<br \/>\niptables -A SIPDDOS -j DROP<br \/>\n<\/code><br \/>\nA word on what this actually matches: <code>-m string<\/code> is a raw, case-sensitive substring search over the whole datagram (up to <code>--to 65535<\/code>), not a SIP-aware header check, so it only catches tools that keep their default From or User-Agent strings (add <code>--icase<\/code> if you want case-insensitive matching), and since the rules are pinned to UDP port 5060 they never see TCP or TLS signalling. The LOG rule has no <code>-m limit<\/code>, so a noisy scanner can fill syslog quickly.<br \/>\nTo see whether it is effective, we wait a while and meanwhile keep an eye on \/var\/log\/syslog&#8230; and we already find an attempt \ud83d\ude42<br \/>\n<code><br \/>\n..<br \/>\nposeidon kernel: [1710588.138605] firewall-sipddos: IN=eth0 OUT= MAC=00:0c:29:2d:1e:1f:00:0e:38:d5:26:0f:08:00 SRC=183.87.140.226 DST=192.168.2.17 LEN=438 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5069 DPT=5060 LEN=418<br \/>\n<\/code><br \/>\nOur iptables has already taken care of filtering this intruder&#8230; now back to ngrep.<br \/>\nAs a reminder, the command is:<br \/>\n<code><br \/>\nngrep -d any -P ' ' -W byline -T port 5060<br \/>\n<\/code><br \/>\nAnd enjoy your rules \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For some time now, on the SIP gateways, proxies and PBXs I have exposed on the Internet, I have seen a significant increase in attacks and scans&#8230; It does not keep me awake at night, but I am always left with that nagging worry: what if one day they actually get in? Capturing packets with ngrep, I see the following trace&#8230; # [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,5],"tags":[],"class_list":["post-967","post","type-post","status-publish","format-standard","hentry","category-asterisk","category-linux"],"_links":{"self":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/967","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=967"}],"version-history":[{"count":0,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/967\/revisions
"}],"wp:attachment":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=967"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}